PT-2023-27757 · Graylog · Graylog

Weiweiwei9811 · Published 2023-07-06 · Updated 2023-09-06 · CVE-2023-41044

CVSS v3.1: 3.3 (Low)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Graylog versions prior to 5.1.3

Description: A partial path traversal vulnerability exists in Graylog's Support Bundle feature, caused by incorrect validation of user input in an HTTP API resource. It allows an attacker holding valid Admin role credentials to download or delete files in sibling directories of the support bundle directory. The default data directory for the Support Bundle feature is /var/lib/graylog-server/support-bundle in operating system packages and /usr/share/graylog/data/support-bundle in Docker images. Because the containment check only compares a path prefix, an attacker can read or delete files in any directory whose path begins with the support bundle directory's path, such as /var/lib/graylog-server/support-bundle-test and /var/lib/graylog-server/support-bundlesdirectory.

Recommendations: For versions prior to 5.1.3, upgrade to version 5.1.3 or later. As a temporary workaround for users unable to upgrade, block all HTTP requests to the following API endpoints with a reverse proxy placed in front of Graylog: GET /api/system/debug/support/bundle/download/(unknown) and DELETE /api/system/debug/support/bundle/(unknown)
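The defect class behind this advisory is a containment check that compares path strings by prefix instead of by path component. The following is an added example written for this page; it is not Graylog's code and does not reproduce the affected resource. It uses the package default directory named above as the base, while the file names, the `filename` parameter and the helper names (`vulnerable_resolve`, `hardened_resolve`, `compare`) are constructed for illustration. It shows why a prefix test lets a request reach `support-bundle-test` and `support-bundlesdirectory` while still rejecting a traversal to `/etc`, which is what makes the weakness "partial", and how a component-wise check closes that gap.

```python
"""Why a string-prefix containment check permits a *partial* path traversal.

Added example for this advisory; not Graylog's code. BUNDLE_DIR is the
package default quoted in the advisory; everything else is constructed.
"""
import posixpath
from typing import Dict, Iterable, Optional, Tuple

# Default Support Bundle directory for OS packages (taken from the advisory).
BUNDLE_DIR = "/var/lib/graylog-server/support-bundle"


def vulnerable_resolve(base: str, filename: str) -> Optional[str]:
    """Naive containment check: accept if the normalised path starts with `base`.

    str.startswith compares characters, not path components, so the sibling
    directories `support-bundle-test` and `support-bundlesdirectory` pass
    because their names begin with the same characters as `support-bundle`.
    A traversal all the way out to /etc is still rejected, so the check looks
    correct under a casual test.
    """
    candidate = posixpath.normpath(posixpath.join(base, filename))
    return candidate if candidate.startswith(base) else None


def hardened_resolve(base: str, filename: str) -> Optional[str]:
    """Component-wise containment check.

    posixpath.commonpath compares whole path components, so it returns `base`
    only when `candidate` is `base` itself or lies beneath it. A sibling that
    merely shares a name prefix yields a shorter common path and is rejected.
    """
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, filename))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed request values: one legitimate bundle name, two sibling-directory
# escapes of the kind the advisory describes, and one full traversal attempt.
SAMPLE_FILENAMES = [
    "graylog-support-bundle-2023-07-06.zip",
    "../support-bundle-test/notes.txt",
    "../support-bundlesdirectory/notes.txt",
    "../../../etc/hostname",
]


def compare(filenames: Iterable[str] = SAMPLE_FILENAMES,
            base: str = BUNDLE_DIR) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {filename: (naive_result, hardened_result)} for side-by-side review."""
    return {f: (vulnerable_resolve(base, f), hardened_resolve(base, f)) for f in filenames}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name!r:45} naive={naive}  hardened={hardened}")
```

Running the module prints, for each constructed name, what the naive check would hand to the file system and what the hardened check allows; only the legitimate bundle name survives the second column. The same component-wise idea applies in any language (in Java, resolving both paths and testing `candidate.startsWith(basePath)` on `java.nio.file.Path` objects rather than on strings), and the reverse-proxy workaround above is the right stopgap until the check itself is fixed.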

Exploit · Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2023-41044, GHSA-2Q4P-F6GF-MQR5

Affected Products: Graylog